2015-05-03

encrypted storage (on Pi-2)

I used this procedure today to create encrypted storage on two 64GB USB sticks on a Raspberry Pi 2.

Advantage: nobody can read the backups but me
Disadvantage: I need to type a long passphrase at boot (twice)


# prepare to enter a passphrase
cryptsetup luksFormat /dev/sda --cipher=aes --key-size=256
cryptsetup luksFormat /dev/sdb --cipher=aes --key-size=256

# verify device
cryptsetup isLuks /dev/sda -v
cryptsetup isLuks /dev/sdb -v

# dump metadata (just for information; shows the cipher and key slots in use)
cryptsetup luksDump /dev/sda
cryptsetup luksDump /dev/sdb

# find uuid (so you can add them with uuid to /etc/crypttab)
cryptsetup luksUUID /dev/sda
cryptsetup luksUUID /dev/sdb

# create mapper devices
cryptsetup luksOpen /dev/sda encrypt-backup
cryptsetup luksOpen /dev/sdb encrypt-archive

# verify dm devices
dmsetup info

# mkfs (Wouter told me to use ext4 ;-)
mkfs.ext4 /dev/mapper/encrypt-backup
mkfs.ext4 /dev/mapper/encrypt-archive

# tune reserved space for root
tune2fs -m2 /dev/mapper/encrypt-backup
tune2fs -m2 /dev/mapper/encrypt-archive

# mount
mount /dev/mapper/encrypt-backup /srv/encrypt-backup
mount /dev/mapper/encrypt-archive /srv/encrypt-archive
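
The UUIDs from the luksUUID step are what go into /etc/crypttab, because USB sticks can come up as /dev/sda and /dev/sdb in either order. The script below is an added example, not part of the original procedure: it builds the crypttab and fstab lines for the two mappings. The key file "none" (passphrase prompt at boot), the "luks" option, the fstab options and the sample UUIDs are assumptions.

```shell
#!/bin/sh
# Added example: build /etc/crypttab and /etc/fstab lines for the two mappings.
# Mapper names and mount points are the ones used in the procedure above;
# key file "none", option "luks" and the fstab options are assumptions.

# Succeeds only if $1 looks like a LUKS UUID (8-4-4-4-12 hex digits).
is_uuid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_line NAME UUID -> "NAME UUID=<uuid> none luks"
# Refuses anything that is not a UUID, e.g. a /dev/sdX path pasted by mistake.
crypttab_line() {
    is_uuid "$2" || { echo "bad UUID for $1: '$2'" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_line NAME -> mount /dev/mapper/NAME on /srv/NAME as ext4
fstab_line() {
    printf '/dev/mapper/%s /srv/%s ext4 defaults 0 2\n' "$1" "$1"
}

# Real use (as root): uuid=$(cryptsetup luksUUID /dev/sda)
# Constructed sample UUIDs so the script runs without the sticks attached:
SAMPLE_BACKUP_UUID="11111111-2222-3333-4444-555555555555"
SAMPLE_ARCHIVE_UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

echo "# lines for /etc/crypttab"
crypttab_line encrypt-backup  "$SAMPLE_BACKUP_UUID"
crypttab_line encrypt-archive "$SAMPLE_ARCHIVE_UUID"
echo "# lines for /etc/fstab"
fstab_line encrypt-backup
fstab_line encrypt-archive
```

Review the printed lines before appending them to the real files; a wrong crypttab entry can leave the boot waiting on a device that never appears.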
